UNIX system administrators may grant access to run certain executable files with expanded privilege via the sudo utility. Connect:Direct for UNIX has a vulnerability that could allow a user to escape this sudo executable file restriction and perform unauthorized commands with expanded privilege.
CVEID: CVE-2018-1903
DESCRIPTION: IBM Sterling Connect:Direct for UNIX could allow a user with restricted sudo access on a system to manipulate CD UNIX to gain full sudo access.
CVSS Base Score: 6.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/152532 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
IBM Sterling Connect:Direct for Unix 6.0.0
IBM Sterling Connect:Direct for Unix 4.3.0
IBM Sterling Connect:Direct for Unix 4.2.0
V.R.M.F | APAR | Remediation/First Fix
---|---|---
6.0.0 | IT26865 | Apply 6.0.0.0.iFix017, available in cumulative iFix018 on Fix Central
4.3.0 | IT26865 | Apply 4.3.0.0.iFix027, available in cumulative iFix029 on Fix Central
4.2.0 | IT26865 | Apply 4.2.0.4.iFix097, available in cumulative iFix098 on Fix Central
For IBM Sterling Connect:Direct for Unix versions 4.1.0 and older, IBM recommends upgrading to a fixed, supported version of the product.
None